Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About SARowe_NZ
About SARowe_NZ
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
yesterday
41Posts
1Like
1Solution
Jun 05, 2020Last Visited
User
Activity
User
Profile
Latest posts by SARowe_NZ
| Subject | Views | Posted |
|---|---|---|
| 83 | Thursday | |
| 72 | Thursday | |
| 104 | Thursday | |
| 125 | Thursday | |
| 78 | Wednesday |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 06-17-2019 01:07 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 2 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 03-21-2017 04:29 PM |
| Date Last Visited | yesterday |
| Total Messages Posted | 51 |
| Total Likes Received | 1 |
Thursday
Thanks - given I'd be starting at the zero with python the learning curve would be too much and I'd need to dedicate too much time to justify it just for this. I have not looked at the powershell option though so that could definitely work, as I suspect it is much simpler for a script notice like me - I will check it out! Cheers, Shannon
... View more
Thursday
Hey, That was an example - its actually lots of different configuration elements (policies / objects / VPNs etc). I'm moving config around between firewalls and different Templates/Device Groups on our Panorama. For the most part it is quite granular (per policy / vpn etc) which is the challenge. If it was all of them I could just use the root x-path for (e.g.) policies as the root x-path would have no spaces, but unfortunately much of this has to be done at individual item level. Cheers, Shannon
... View more
Thursday
Hey Daniel, Thanks for that - appreciate your help! Unfortunately my knowledge of python is zero. Surely it must be possible to parse a space in the CLI x-path call. Cheers, Shannon
... View more
Tuesday
Hi, We are setting up user-ID with agents on member servers, checking domain controller event logs. We also run an internal globalprotect gateway. With both active and potentially providing the same user-ip mapping, which one does the firewall user? the one from GP or the one from the DCs? Thanks, Shannon
... View more
2 weeks ago
Hey - thanks for the response, unfortunately I have tried that and it still does not accept it. Does not like the syntax. I tried with single and double quotes. Thanks, Shannon
... View more
3 weeks ago
Note: just to clarify the actual policy name is " Policy Name Here" - the XML API Browser adds the "+" symbols shown in the original post automatically wherever a space exists, but the x-path call from the CLI does not seem to accept it.
... View more
3 weeks ago
Hi, The "load config partial from x-path" is great for copy or moving config but I can't work out how to get it to deal with spaces. e.g. if I want to copy a policy and the policy name has a space in it I can't get the correct syntax. The XML API Browser gives me an x-path of .../entry[@name='Policy+Name+Here'] however the CLI returns an error "Server error : Failed to compose effective config to load. input file doesn't have anything at ..." If I take the spaces out it works perfectly. How do you get x-path to process spaces? Thanks, Shannon
... View more
3 weeks ago
Hey,
Thanks for the response. Yes I have tried not selecting Option A and I do have a policy file and a Rulebase file.
The Objects_5_0.C definitely contains data.
Anyone have any ideas? Really hoping to use the Expedition tool for this as migrating these manually will be a nightmare...
Cheers,
Shannon
... View more
4 weeks ago
Hi,
I'm trying to migrate a CP to Palo Alto via Expedition.
I've been provided the CP files as per below screen dump but when I try and upload them Expedition fails with message "We need objects and policy files. Please upload them again."
How can I correctly import the CP config?
Thanks,
Shannon
... View more
04-13-2020
01:07 PM
Hi, Thanks for the replies. I also found this article: http://michlstechblog.info/blog/windows-set-permissions-on-a-service/ This will resolve the issue but need to find a way to deploy it easily (eg via GPO). I will take a bit more detailed look at your suggestions as suspect a combination will provide the answer. Surprised PAN don't have tamper protection enabled natively, like is available in Traps. Thanks again, Shannon
... View more
04-06-2020
05:58 PM
Thanks Varun, " With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect." Will that also prevent users from stopping the actual GP service? We already have it configured to stop users from disabling it through the GP App, and that works, but they have found they can simply go into services.msc and disable the service, then kill the GP app through task manager. This effectively allows them to completely turn off GP. The only difference there is we are currently using agent version 4.1.x not 5.1.
... View more
04-06-2020
04:32 PM
Hi, We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager. Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have). Does anyone have any ideas on how we can stop this behaviour? Cheers, Shannon
... View more
- Tags:
- globalprotect
11-11-2019
04:33 PM
PANOS 8.1 Hi all - I have ongoing issues with trying to control downloading of files from CDNs. An easy example is .cab files used by Microsoft Office templates. When you download a template it goes off to a page off: templatesmetadata.office.net, but the actual file is stored in an Akamai cache. I have a policy matching a custom URL category, allowing that (I've also tried *.office.net), URL. This policy has no file blocking profile. This does not seem to work. However, if I exclude *.office.net from decryption it works around the issue and allows the download. I don't understand why it would match for the no-decrypt policy, but not the URL category policy. What is the correct and manageable way to allow downloads from CDNs where the container URL is known and trusted? Thanks, Shannon
... View more
09-29-2019
03:33 PM
Hey all,
I'm trying to get the config from a Cisco ISR 3925 into Expedition. It has picked up the services, but basically nothing else.
I particularly want the objects, ip nat statements and acl's.
I've tried the config from "show run" and "more system:running-config".
What am I missing?
Thanks, Shannon
... View more
06-17-2019
03:19 PM
For others benefit it looks like this may be related to a network adapter driver "feature" called NS Offload. We'd originally eliminated this as it occurred on both wired and wireless connections, but through trial and error I've found that disabling this feature seems to have an immediate impact and resolves the performance issues. It seems this feature is on both the wireless and wired NIC. Tried latest/different drivers but issue persists. There is not much documentation on it: https://www.intel.com/content/www/us/en/support/articles/000005585/network-and-i-o/wireless-networking.html My assumption is it is causing the issue when traffic is "offloaded" from the tunnel adapter to the real physical adapter. The 4G adapter does not have this feature which is why it was a non-issue when connecting the VPN over 4G.
... View more
06-17-2019
01:07 PM
1 Kudo
Hey, Thanks for taking the time to think through this and provide such detailed responses - I certainly appreciate it. 1) Differences in matching security policies. Does all of the traffic match the same security rule? Is the server response insepction enabled on one policy but not the other? If multiple policies for the different users are bing hit, do they have the same threat profile? SR: All traffic matches the same security policy.I actually tried creating a security policy with no filtering and DSRI enabled (I even created a custom app with app-override to bypass L7 processing). Same result, so does not seem to be related to filtering or traffic processing through the policy engine. 2) Decryption Policies: Does the traffic match the same decryption policies? SR: There is no decryption turned on in this scenario. 3) Different agent settings getting applied based on source location, and therefore the client behaves differently? SR: Single portal/gateway so all clients get the same agent settings I've logged a TAC case and will see what they say. Suspect I could be in for the long haul with this one... Thanks again.
... View more
06-16-2019
02:36 PM
Hi, No, it is a full tunnel. I did test with split tunnel, and creating host routes in the tunnel to the affected servers (this should ensure it checks that before the local network) but the result is the same. Note: even if this were the issue, the local network on the wired/wireless networks is not the same as the server network so it should not check these first. Thanks, Shannon
... View more
06-13-2019
07:11 PM
Hi, It is slow performance over GP VPN, but seems very specific to smb traffic. Other traffic is fine. Overlapping subnets is not an issue in this case - the local network is different to the server subnet where the smb traffic is delivered from. It is consistently slow over both wired and wireless networks (as the underlying internet), but, interestingly, 4G / cellular data does not have the same issue. I don't know how to explain that, as the wired and wireless networks we have tested with have no apparent commonality, they are all completely separate. Thanks, Shannon
... View more
06-13-2019
04:11 PM
Hi hcao, Just wondering if you found a solution to this? We seem to be having the same issue but am unable to diagnose the root cause. Thanks, Shannon
... View more
05-16-2019
05:13 PM
I've been getting this as well.
Your suggestion definitely allowed me to start MariaDB and log in to the GUI, thanks; but seems Expedition is corrupted "Remote Exception" with no additional detail as soon as I log in, and much of the dashboard and all of the Internal Checks is broken.
Thanks anyway, looks like I'll have to rebuilt.
... View more
02-25-2019
07:13 PM
Hi thanks for replying - I've made sure we're using the system account, not a service account. I've logged it with TAC and will update here if I get a resolution.
... View more
02-25-2019
03:41 PM
Hey did you get this fixed? I'm having the same issue. Thanks! Shannon
... View more
- Tags:
- get this
09-06-2018
04:51 PM
Hi, We have set quarantine to use a separate drive. Is it true that oldest files will be overwritten if the drive fills up? Also, if I physically remove the files (either manually or via script), will this have any impact on what is shown and available historically in ESM Console? e.g. if I remove a wildfire* file from the quarantine folder will the Traps console still be able to show full detail on the associated prevention event? Thanks, Shannon
... View more
07-09-2018
02:40 PM
Hi, Since upgrade to PANOS 8.1.2 RADIUS (for firewall administration) tries to connect to the IPv6 address of the Microsoft NPS server: 2018-07-10 09:33:14.305 +1200 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:384): RADIUS request type: PAP 2018-07-10 09:33:14.307 +1200 Warning: _handle_nas_ip(pan_authd_radius_prot.c:114): fe80::d6f4:beff:fec3:8beb%eth0: pan device nas IPv6 not found 2018-07-10 09:33:14.307 +1200 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:436): Optional attribute NAS-IP "fe80::d6f4:beff:fec3:8beb%eth0" is not in request, which is ok since NAS-Identifier "RADIUS-FirewallAdmins" is in it 2018-07-10 09:33:14.307 +1200 debug: _create_rw_sock(pan_authd_conn_mgmt.c:1446): create a UDP socket: 13 2018-07-10 09:33:14.307 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 1: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable) 2018-07-10 09:33:15.308 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 2: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable) 2018-07-10 09:33:16.309 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1490): Retry 3: connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812: errno=101(Network is unreachable) 2018-07-10 09:33:17.310 +1200 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1497): reached max number of retries (3) to connect to server 2402:9900:311:1244:5003:9543:48d4:2af3:1812 The result is the request times out as the server does not respond on IPv6. I can't see how to stop this behaviour, or what is causing it. Note: If I change the RADIUS profile to an IP address, rather than a FQDN it works fine. If I perform a ping of the FQDN, from the MGT interface on the PAN, it resolves correctly to the IPv4 address so it does not seem to be a DNS issue. Note: We have not configured granular service routes, all services use the MGT interface. Any ideas what is causing this, and how I can stop it trying to use IPv6? Cheers, Shannon
... View more
03-27-2018
12:18 PM
Hi, We are getting several "WildFire Post Detection" events. The source signer is unknown (or not signed at all). Unlike files that are often identified as malware, only to be analysed in WildFire and come back as benign, these files remain as verdict "Malware". When I look at the WildFire report, static analysis seems to flag these with some suspicious activity (none of which looks particularly concerning in the context of the file and what we know of it). Dynamic analysis shows the file as benign. Can someone please explain the "WildFire Post Detection" logic? What is this and how does it work? The "Action" is "notification" - does this mean that the user will continue to be able to run the file, or simply that, as it is a "post detection" event, the initial attempt was allowed, but now WildFire has flagged the file, further attempts will be blocked? Is my understanding correct in that it was flagged as malware due to the static analysis items in the WildFire report, or is it possibly due to something else I am not seeing? How can I know for sure? I can't find a good explaination in the KB or admin guide on WildFire Post Detection events - everything refers to the event when the signer is trusted (which is not the case here). Thanks! Shannon
... View more
03-25-2018
01:55 PM
Hi, Sorry I think a bit more clarity is required. If NAT-T is required, but not enabled, the ipsec/phase2 should not stand up at all and your users wouldn't be able to get at anything (not simply RDP). NAT-T should impact the establishment of your new tunnels, I don't see how (short of a very unusual bug) that it would affect encap traffic inside another tunnel. Did the new tunnels fully establish? Could users access services over the new tunnel? Were services other than RDP affected on the other (historical) tunnels? Have you done a config audit and compared the last known working config, to the new config to verify that that was the only change? Are all your tunnels using static peer IP addressing, or are some of them configured as dynamic? Thanks, Shannon
... View more
03-25-2018
01:43 PM
If you traceroute and look at the associated session, can you see it egressing on the ISP1 interface, with the SNAT address of your new IP? If so, I think it sounds like the Internet does not have a route back to your new IP. Either your ISP will need to advertise this on your behalf, or you are using BGP. If the latter, have you added the new IP into your export statements for BGP and can you confirm it is being advertised (you can see this from the BGP RIP under network > routers)? Cheers, Shannon
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Likes Given To
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
